CVE-2025-55749 HIGH

CVE-2025-55749: The XWiki Jetty package (XJetty) allows accessing any application file through URL

Vendor Xwiki
Product xwiki-platform
Weakness CWE-284
Published December 1, 2025
Last update December 1, 2025

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

XWiki is an open-source wiki software platform. From 16.7.0 to 16.10.11, 17.4.4, or 17.7.0, in an instance which is using the XWiki Jetty package (XJetty), a context is exposed to statically access any file located in the webapp/ folder. It allows accessing files which might contains credentials. Fixed in 16.10.11, 17.4.4, and 17.7.0.

Key dates

02Disclosure timeline

December 1, 2025 CVE published
December 1, 2025 Record updated